We collect, use and are responsible for certain Personal Information about you. When we do so we are subject to data protection laws, including the UK General Data Protection Regulation, and we are a ‘controller’ of your Personal Information for the purposes of those laws.
- For information concerning Aviva please visit aviva.com
- For a full list of the Aviva trading companies in the UK please see our list of Aviva companies
- “Clients” - means the end clients who you act for as an Aviva intermediary.
- “Intermediary Firm” - means a firm acting as an adviser, broker and/or healthcare intermediary capacity.
- “Intermediary Tools” - means tools and resources that Aviva makes available for use by Intermediary Firms when conducting business with Aviva, including the Aviva Connect website and APC Online.
- “Personal Information” - means any information relating to an identified or identifiable individual.
- Terms of Business” - means the contract between your Intermediary Firm and Aviva governing their role as an intermediary for Aviva products and services.
- “you”, “your” - an individual who is employed by, works for, manages or owns an Intermediary Firm which conducts business with Aviva.
Personal Information we collect about you
We may collect and use the following Personal Information about you:
- Basic personal details such as your name, address, email address, telephone number and postcode;
- Account registration details, such as username and password;
- Information about the Intermediary Firm you work for and your role within the firm, including the firm name, firm size, your firm role and FCA number;
- Information about your marketing preferences;
- If you are a director or partner of your Intermediary Firm, we may need to check and verify your identity and will collect information about your date of birth, National Insurance Number and current and previous three years’ addresses together with performing credit or other financial checks on you;
- Transactions you have completed and quotations you have requested;
- Information about how you use and interact with the Intermediary Tools, Aviva’s websites, communications you receive from Aviva and other systems;
- Your responses to surveys, competitions and promotions;
- Information about continued professional development activity that you complete with Aviva.
This Personal Information is required to provide products and/or services to you in your capacity as an intermediary for Aviva. If you do not provide Personal Information we ask for, it may delay or prevent us from providing these products and/or services to you.
How your Personal Information is collected
We collect Personal Information about you when you or your Intermediary Firm does business with us, including dealings we have with you through a number of channels, such as:
- If you create an online user account or use the Intermediary Tools;
- If you participate in any surveys, competitions or promotions;
- If you record continued professional development activity with us;
- If you take part in activities for the Aviva Community Fund;
- If you contact or communicate with us by telephone, mail, email, text, via an Intermediary Tool or in person;
- Via our IT systems, e.g. automated monitoring of our websites and other technical systems, such as our computer networks and connections, communications systems, email and instant messaging systems.
Use of third-party information
We obtain information about your Intermediary Firm and your Clients from our third-party suppliers and databases (including, for example, Diligenta, FNZ, Capita, iPipeline and Acturis). We also use commercial property websites and government websites that assist with marketing insights, pricing research, product development and business strategy and to help us detect and prevent fraudulent activity (including, for example, third party sanction screening providers and credit reference agencies). This includes publicly available information for example from the FCA and Companies House.
We may also gain information from other third parties with your consent, e.g. your bank.
How and why we use your Personal Information
Under data protection law, we can only use your Personal Information if we have identified a legal basis for doing so, such as:
- to comply with our legal obligations;
- for the performance of our contract with you or to take steps at your request before entering into a contract;
- for our legitimate interests or those of a third party; or
- where you have given consent.
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.
The sections below explain what we use (process) your Personal Information for, our reasons and legal basis for doing so:
1. To allow you and your Intermediary Firm to do business with us - we will use your Personal Information to:
- set up an account with us;
- maintain that account;
- allow you to access and make use of the Intermediary Tools;
- administer and manage products that your Clients have with us; and
- manage queries and complaints which may involve you, your Intermediary Firm or your Clients;
We use Personal information for the purposes outlined in this paragraph 1 to support the legitimate interests of our business as an insurer, and also to perform our contract to provide your Intermediary Firm with products and services in accordance with the Terms of Business we have in place and in the interests of providing an efficient service to you, your firm and your Clients.
2. To market our products and services and make improvements to our operations:
- we will use your Personal Information to keep you informed about our products and services that we think will be of interest to your Clients, consistent with your marketing preferences. We explain more about this in our section on Marketing;
- we will also use your Personal Information for research and statistical purposes to analyse how you use our websites and Intermediary Tools so we can improve our understanding of your needs and enhance our products and services.
We use Personal Information for the purposes outlined in this paragraph 2 for our legitimate interests or those of a third party, to promote our business and to be as efficient as we can so we can deliver the best service for you.
3. To meet responsibilities we have to our regulators, tax officials, law enforcement and other similar bodies:
- if you are a director or partner of your Intermediary Firm, we will carry out appropriate verification and credit checks. We use Personal Information for these purposes to comply with requirements we have under financial conduct rules and laws relating to anti-money laundering and financial crime and to prevent and detect fraud (see our section on Fraud Prevention and Detection for more information);
- gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies;
- carry out necessary background checks to make sure you and your Intermediary Firm are legitimate persons to do business with in accordance with our Terms of Business (we explain more about this in our section on Fraud Prevention and Detection);
- preventing unauthorised access and modifications to systems and Intermediary Tools; and
- ensuring the confidentiality of commercially sensitive information.
We use Personal Information for the purposes outlined in this paragraph 3 to meet our legal obligations and for our legitimate interests or those of a third party, to prevent and detect criminal activity that could be damaging for us and for you.
If you would like to know more about any of the legal reasons or legitimate interests that apply to a particular way in which we use Personal Information you can contact us at any time.
Who we share your Personal Information with
We will also share Personal Information about you with:
- our regulators and law enforcement as necessary for purposes of Fraud Prevention and Detection;
- online or digital partners we work with so we can communicate with you through their platforms;
- other third-party systems providers whose systems you request access to as part of your online account registration with us;
- your Clients if they have queries about the services between you, them and us;
- Aviva group companies;
- third parties we use to help deliver our products and services to you, e.g. payment service providers;
- other third parties we use to help us run our business, e.g. marketing agencies or website hosts;
- third parties approved by you, e.g. social media sites you choose to link your account to or third-party payment providers;
- credit reference agencies; and
- our banking partners.
We only allow our service providers to handle your Personal Information if we are satisfied that they take appropriate measures to protect your Personal Information. We may also share Personal Information with external auditors.
We may also need to share some Personal Information with other parties, such as potential buyers of some or all of our business or during a re-structuring. Usually, Personal Information will be anonymised, but this may not always be possible. The recipient of the Personal Information will be bound by confidentiality obligations.
We may use your Personal Information to send you updates (by email, text message, telephone, post or on social media) about our products and services, including promotions and new products and services. We may also display marketing to you on our websites and Intermediary Tools.
We have a legitimate interest in processing your Personal Information for marketing purposes (see the section above on How and why we use your Personal Information) and you can always unsubscribe at any time.
You have control over our use of your Personal Information for marketing purposes. You can change your marketing preferences at any time either within the profile settings of your online account or by emailing us at DATAPRT@aviva.com. And you can always ‘opt out’ of receiving email marketing by using the unsubscribe links you will find in our marketing emails.
Cookies and other technologies
We rely on third-party advertising technology (such as the deployment of cookies or small text files on our websites and Intermediary Tools) to collect information about you. This technology is used to optimise what you may see on our websites and Intermediary Tools and deliver content when you are browsing elsewhere. We may also collect information about your use of other websites. We do this to provide you with advertising that we believe may be relevant for you, as well as to improve our own products and services.
Social media and online platforms
We share Personal Information with media agencies and social media and other online platforms to help us target our online marketing. Social media and other online platforms may also use Personal Information they hold and combine it with Personal Information received from us to create target audiences. These are audiences that we think would be interested in our online advertising. This may involve social media and other online platforms building a ‘lookalike’ profile of the type of person we are trying to target and providing specific adverts to those people when they browse the internet or use social media.
We use automated processes to help us provide more personalised marketing of our products. To do this, our automated process creates a marketing profile for you using Personal Information such as:
- identification data;
- contact data;
- data about your Intermediary Firm;
- behavioural data (e.g. data relating to your use of our websites); and
- data about your trading activities on our Intermediary Tools.
Our process analyses this data to determine the most relevant products, services, offers or benefits to offer to you and to decide the appropriate time and channel for offering them to you.
Promotions and competitions
We occasionally run promotions and competitions for our Intermediary Firms. Our communications to you about these promotions and competitions before you enter them are marketing. If you opt out of direct marketing, you will not receive communications about promotions and competitions.
We may use your Personal Information to select you as a winner, inform you of promotion and competition outcomes and send prizes to your nominated address. We may use third party fulfilment partners to assist us in administering promotions and competitions, including contacting you on our behalf. In accordance with the rules of the Advertising Standards Authority, we may publish or make publicly available information that indicates that a valid award has taken place. If we do this, only your surname, country and, if applicable, your winning entry, will be published. You have the right to object to this use of your Personal Information.
Important note on your responsibilities when handling Client Personal Information
Your Intermediary Firm is responsible for the lawful collection of Personal Information relating to any Clients with whom you do business. This includes collection and use of Personal Information about your Clients and any third parties whose details we may need to prepare a policy or personalised quote at your request. Your Intermediary Firm must, at all times, have your Client’s authority to share their Personal Information with us and it is your firm’s responsibility to ensure your Clients are provided with fair processing notices which explain our arrangements to them and secure any necessary consents or other legal basis that may be required to allow their Personal Information to be shared with us.
Your Intermediary Firm is expected to not act in any way in relation to your handling of Client’s Personal Information which might reasonably damage the reputation or goodwill of Aviva or its relationship with its Clients. Your firm must provide to us all information in your possession concerning any unauthorised or accidental disclosure of, or access to, the Personal Information of your Clients, including as a result of any unauthorised access to the Intermediary Tools.
Fraud prevention and detection
In order to prevent and detect fraud we may at any time:
- share information about you with other organisations and public bodies including the Police;
- undertake credit searches and additional fraud searches;
- check and/or file your details with fraud prevention agencies and databases and, if you give us false or inaccurate information and we suspect fraud, we will record this to prevent fraud and money laundering.
We can supply on request further details of the agencies and databases we access or contribute to and how this information may be used. If you require further details, contact us at:
Policy Investigation Unit, Policy Investigation Unit, Po Box 121, Surrey Street, Norwich, NR1 3ZH
Telephone: 0345 300 0597
We and other organisations may also receive information from these agencies and databases to:
- help make decisions about the provision and administration of insurance, credit and related services;
- trace debtors or beneficiaries, recover debt or prevent fraud;
- check your identity to prevent money laundering, unless you furnish us with other satisfactory proof of identity.
Any requests for information we receive from law enforcement or regulators will be carefully validated before Personal Information is disclosed.
International data transfers
Information may be held at our offices and those of our Aviva group companies, third party agencies, service providers, representatives and agents as described above (see above section on Who we share your Personal Information with).
Sometimes we, or third parties acting on our behalf, may need to transfer Personal Information outside of the UK. We’ll always take steps to ensure that any transfer of Personal Information outside the UK is carefully managed to protect your privacy rights and ensure that adequate safeguards are in place. This might include transfers to countries that the UK considers will provide adequate levels of data protection for your Personal Information (such as countries in the European Economic Area) or putting contractual obligations in place with the party we are sending information to. Transfers within the Aviva group will be covered by an agreement entered into by members of the Aviva group (an intra-group agreement) which contractually obliges each group company to ensure that your Personal Information receives an adequate and consistent level of protection wherever it is transferred within the group.
For more information about data transfers and the safeguards we have put in place, please contact us.
How long your personal information will be kept
We will keep your Personal Information while your Intermediary Firm has Terms of Business with Aviva or we are providing products and/or services to you. Thereafter, we will keep your Personal Information for as long as is necessary:
- to respond to any questions, complaints or claims made by you or on your behalf;
- to show that we treated you fairly; and
- to keep records required by law.
We may also retain Personal Information in an aggregated form which allows us to continue to develop and improve our products and services.
When it is no longer necessary to retain your Personal Information, we will delete or anonymise it.
You have legal rights under data protection laws in relation to your Personal Information.
- Access to your Personal Information
- Withdrawing consent
- Rectification of your Personal Information
- Erasing your Personal Information
- Restricting our use of your Personal Information
- Objecting to our use of your Personal Information
- Requesting transfer of your Personal Information
- Objecting to automated decision-making and profiling
We may ask you for proof of identity when making a request to exercise any of these rights. We do this to ensure we only disclose information where we know we’re dealing with the right individual.
We aim to respond to all valid requests within one month. It may take us longer if the request is particularly complicated or you have made several requests. We’ll always let you know if we think a response will take longer than one month. We may also ask you to provide more detail about what you want to receive or are concerned about.
We may not always be able to do what you have asked. This is because your rights will not always apply, for example if it would impact the duty of confidentiality we owe to others, or if the law allows us to deal with the request in a different way. We will always explain to you how we are dealing with your request. In some circumstances (such as the right to erasure or withdrawal of consent), exercising a right might mean that we can no longer provide our product and services to you.
For further information about your rights or how to exercise them, please contact us.
Access to your Personal Information
You may ask us for a copy of your Personal Information together with specified details about how we use your information. This is commonly known as a ‘subject access request’.
If you wish to make a subject access request, please contact us.
If your request is made electronically, we will, where possible, respond to you electronically. Otherwise, we will normally respond in writing unless you request otherwise.
Where we’ve asked for your consent to use your Personal Information, you’ll always have the right to withdraw such consent. Please contact us if you want to do this. If you withdraw your consent, we may not be able to provide certain products and services to you. If this is the case, we’ll tell you at the time you ask to withdraw your consent.
Rectification of your Personal Information
We do our best to ensure that your Personal Information is accurate and kept up to date. If you believe your information is inaccurate or incomplete, then please contact us to request that we amend or update it.
Erasing your Personal Information
You may ask us to erase your Personal Information, but this right only applies in certain circumstances, for example where:
- it is no longer necessary for us to use your Personal Information for the original purpose;
- our lawful basis for using your Personal Information is consent and you withdraw your consent; or
- our lawful basis is legitimate interests and there is no overriding legitimate interest to continue using your Personal Information if you object.
This isn’t an absolute right and we have to balance your request against other factors such as legal or regulatory requirements, which may mean we cannot erase your Personal Information.
Restricting our use of your Personal Information
You may ask us to stop using your Personal Information in certain circumstances such as:
- where you have contacted us about the accuracy of your Personal Information and we are checking the accuracy;
- if you have objected to your Personal Information being used based on legitimate interests.
This isn’t an absolute right and we may not be able to comply with your request.
Objecting to our use of your Personal Information
You can object if you no longer wish to receive direct marketing from us. Please see our section on Marketing for further information.
You may also object where you have grounds relating to your particular situation and the lawful basis we rely on for using your Personal Information is our (or a third party's) legitimate interests. However, we may continue to use your Personal Information where there are compelling legitimate grounds to do so.
Requesting transfer of your Personal Information
In some cases, you can ask us to transfer Personal Information that you have provided to us to another third party of your choice. This right only applies where:
- we have justified our use of your Personal Information based on your consent or the performance of a contract with you; and
- our use of your Personal Information is by electronic means.
Objecting to automated decision making and profiling
You have the right not to be subject to a decision using your Personal Information which is based solely on automated processing (without human involvement) where that decision produces a legal effect or otherwise significantly affects you. This right does not apply if the decision is:
- necessary for the purposes of a contract between us and you;
- authorised by law (e.g. to prevent fraud); or
- based on your explicit consent.
You do however have a right to request human intervention, express your view and challenge the decision.
We have appropriate security measures in place to prevent Personal Information from being accidentally lost or used or accessed unlawfully. We limit access to your Personal Information to those who have a genuine business need to access it. Those processing your Personal Information will do so only in an authorised manner and are subject to a duty of confidentiality.
We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
- Write to: The Data Protection Team, Aviva, PO Box 7684, Pitheavlis, Perth PH2 1JR
- Email us: DATAPRT@aviva.com
If you’re not happy with the way we’re handling your Personal Information, you have a right to make a complaint with your local data protection supervisory authority at any time. In the UK this is the Information Commissioner's Office (ICO). We ask that you please attempt to resolve any issues with us before contacting the ICO.